Risk Assessment in the Spotlight

Risk assessment for healthcare providers and business associates is again in the spotlight. The Department of Health and Human Services is gearing up for a new round of HIPAA audits. At this point they are surveying 1200 firms and will include business associates. The results of the survey will be hundreds of audits. Of continued interest in this round are risk assessments.

Why does risk assessment keep jumping to the front? Any time we hear of a breach of personal information an investigation follows. It's very rare that an organization has done nothing to secure data. The problem is they've done the wrong things.

Risk Assessment is the missing first step in the process of establishing an effective Information Security program. It creates a prioritized roadmap for firms to address information security issues. In short, it tells an organization where to spend their time and money most effectively.

Too many organizations fall victim to product-based compliance schemes, thinking that purchasing specific software or hardware products will make them HIPAA compliant.

When risk assessment is cited as a shortfall, it's a good sign the organization was spending money on security, but wasn't making informed decisions.

The difference between demonstrating due diligence in securing information assets and not can sometimes be as simple as producing the results from an annual risk assessment.

"We understood that risk, but didn't mitigate it as well as we could," is very different than saying "We never thought about that risk and instead thought our anti-virus would protect us."

Resulting costs can include millions of dollars and significant patient attrition.

HIPAA and Meaningful Use

Compliance with CFR Title 45: Public Welfare, PART 164—Security and Privacy is a daunting task, and meeting CMS Meaningful Use requirements includes completing a HIPAA Risk Assessment.

Working Security will walk you through every Required and Addressable Standard in HIPAA, ensure you've completed the underlying Risk Assessments and Information System Activity Reviews, and create the policies required to achieve compliance with the health care privacy standards in the Security Rule.

Beyond a simple policy review, we:

  • Test your network for vulnerabilities
  • Check physical security controls for your offices
  • Train staff on Information Security best practices

We also work with your I/T department or vendor to establish a prioritized plan of action so your practice will make solid improvements over time and meet your compliance objectives.

Illinois Health Care Association

Thank you to the Illinois Health Care Association for the opportunity to present HIPAA Risk Assessment and Mitigation. The Illinois Health Care Association is a non-profit organization comprised of more than 375 licensed and certified long-term care facilities and programs throughout the state. We presented with Mason Rothert from Mediprocity, a leading secure messaging platform for health care professionals.

St. Louis Metropolitan Medical Society

Chief Security Officer Dennis King authored a recent article in the Saint Louis Metropolitan Medical Society Journal highlighting the changes to HIPAA regulations and cybersecurity risks facing healthcare providers in 2013. The article appeared in the April/May issue of the SLMMS Journal.

The 2013 Omnibus Rule released on January 17th is the next step in over 16 years of protected healthcare information (PHI) regulation. With this update, also known as the “Final Rule,” the Department of Health and Human Services provided clarification on what Covered Entities, Business Associates, and sub-contractors must do to secure Protected Health Information.

The Department of Health and Human Services - Office of Civil Rights Director Leon Rodriguez told an audience this year, “Breaches will happen. It’s the ‘willful neglect’ that could lead to trouble for a covered entity or business associate.” “The real purpose of breach notification is for covered entities to identify the vulnerabilities that resulted in the breach, remedy those vulnerabilities in an immediate and decisive manner,” said Rodriguez.

The article discusses new HIPAA requirements, what healthcare providers must do between now and September, and the sources and frequency of cyber security threats.